Okta Integration
Customer IT / SpaceIQ Onboarding Team
SpaceIQ (SiQ) supports integration with Okta and this article details how to configure the Okta provisioning integration for SiQ.
The following Okta integration features are supported:
- Push New Users - New users created through Okta will also be created in the SiQ application.
- Push Profile Updates - Updates made to a user's profile through Okta will be pushed to the SiQ application.
- Push User Deactivation
- Deactivation means the removal of all a user's data and deleting the user's account.
- Deactivating the user or disabling the user's access to the application through Okta will delete the user in the SiQ application.
It is not possible to pull users or profile updates within SiQ from Okta. They must be pushed.
Contents
- Prerequisites
- Integration Activities
- Logout Redirect
- SiQ Login Flow (SP-initiated Login)
- Attribute Mappings from SiQ to Okta User Profile
- Troubleshooting Tips
Prerequisites
Before you configure SCIM-based provisioning for SiQ, make sure you have configured, enabled, and verified SAML support between your Okta implementation and SiQ.
You will need Okta admin privileges to complete this integration and for the SiQ setup, you must have a SiQ Admin or an IT role.
Integration Activities
Step 1. Activate the Okta Integration in SiQ
From the SiQ Web App, complete the following:
- Click your Profile Name in the top right corner.
- Click Settings. The Settings screen displays.
- From the left menu, click Integrations.
- From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.
You can either search for Okta in the Search field or navigate to Okta tile. To navigate complete the following:
- From the left menu, click Provisioning & SSO.
- For Okta, click the Activate button.
The Okta dialog displays and it contains a Provisioning tab and an SSO tab.
Step 2. Add a new SiQ app into Okta
Okta distinguishes between an application and the instances of that application. Within Okta, an app admin can be granted access to all instances of an app, or just specific instances of that application.
You must be an admin within Okta in order to provision the SiQ integration.
The screenshots below are from the Admin Dashboard (Classic UI).
Complete the following in Okta:
- From the menu, click Applications. The Admin Dashboard (Classic UI) displays.
- Click the Add Applications button. The Add Application screen displays.
- In the Search field, enter SiQ.
- Click Okta's SiQ app. The SiQ app displays.
- Click the Add button.
Optional - In the Application label field, enter a descriptive label or name for your SiQ application within Okta and update your visibility settings.
- Click the Done button.
Step 3. Set up the SiQ app Sign On Details
From Okta’s SiQ app, you will copy the Sign On details from Okta into your SiQ Web App.
- Click the Sign On tab.
- Click the View Setup Instructions button. This displays the online instructions which tell you what to do.
- Scroll down Okta's instructions to step 5 and this lists the following:
- SAML Identity Provider
- X.509 Certificate
- Okta Portal URL
Step 3.1 Copy and paste the SAML Identify Provider Issuer
From the Okta instructions, complete the following:
- From the SAML Identify Provider Issuer field, copy the URL.
Return to your SiQ Web App and complete the following:
- From the SSO tab, in the SAML Identify Provider Issuer field, paste in the URL.
Step 3.2 Copy and paste the X.509 Certificate
Return to the Okta instructions and complete the following:
- From the X.508 Certificate field, copy the certificate.
Make sure that you include the ---- BEGIN CERTIFICATE ---- and the ---- END CERTIFICATE ---- in the copy as this is part of the certificate.
In your SiQ Web App, complete the following:
- In the X.509 Certificate field, paste in the certificate.
- Click the Activate button.
Step 3.3 Copy and paste the SAML Callback Endpoint URL
The Okta Integration displays in the active integration list.
- Click the Okta Integration. The Okta dialog displays.
- Click the SSO tab.
The SAML Callback Endpoint URL is now generated.
- Click the Copy
icon.
Return to Okta’s Sign On tab.
- Click the Edit button and then scroll down.
- In the SAML CallBack Endpoint URL field, paste in the URL.
Step 3.4 Copy and paste the Audience URL
- Return to SiQ and complete the following:
- For the SAML Audience URL field, click the Copy
icon.
- Return to Okta’s Sign On tab.
- In the SAML Audience URI field, past in the URI.
Step 3.5 Set the Credential Details
From Okta’s Sign On tab, complete the following:
- From the Application username format select Email.
- Click the Save button.
Step 4. Set up Provisioning with the SCIM Bearer Token
From SiQ, complete the following:
- Click your Profile Name in the top right corner.
- Click Settings. The Settings screen displays.
- From the left menu, click Integrations.
- From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.
- In the Search field, enter Okta. The Okta dialog displays.
- For the SCIM Bearer Token, click the Copy
icon to copy the token and paste it to a secure temporary location as you will use this to configure Okta’s SiQ instance.
- Click the Okta’s Activate.
From Okta, complete the following:
- Click the Provisioning tab.
- Click the Configure API Integration button.
- Tick the Enable API Integration check box.
- In the API Token field, paste in the SCIM Bearer Token.
- Click the Test API Credentials button to make sure the credentials work.
- Click the Save button.
Next, enable the Okta Action Items.
Step 5. Enable the Okta Action Items
You will need to enable the Create Users, Update User Attributes, and Deactivate Users.
From Okta's To App screen, complete the following:
- Click the Edit button.
- Check the Enable check box for the Create Users, Update User Attributes, and Deactivate Users.
- Click the Save button.
Step 6. Assign People or Groups to the SiQ App
You can assign the people or groups within your Okta organization.
From Okta, complete the following:
- Click the Assignments tab.
- Click the Assign button.
- Select either Assign to People or Assign to Groups.
After you have assigned people or groups then your users can log in to the SiQ Web App.
Logout Redirect
When a user logs out of the SiQ Web App, they can be redirected back to the user's home page. To configure the logout redirect, an administrator must configure the domain URL in the SSO configuration property with the value to the user's home page.
From the SiQ Web App's Okta Integration, complete the following:
- Click the SSO tab.
- In the Okta Portal URL field, enter the URL.
Example:
https://<yoursubdomain>.okta.com/app/UserHome
- Click the Save button.
SiQ Login Flow (SP-initiated Login)
SiQ also supports login SSO authentication initiated from inside the SiQ Web App. The operation typically occurs when a user lands on the SiQ Web App without signing into the application first.
In order to configure SP initiated login an admin must set the redirect URL to Okta portal.
Step 1. Copy either the Embedded Link or the URL in the Identity Provider Metadata from Okta
The URL can be obtained from two different sources:
- Embedded Link
- Identity Provider Metadata Location
Embedded Link
From Okta, complete the following:
- Click the Applications menu.
- In the Search field, search for the SiQ app.
- Click the SiQ app to open it.
The SiQ App screen displays.
- Click the General tab.
- Scroll down to the screen to the App Embed area.
- Copy the Embed Link URL.
Go to Step2 below.
Identity Provider Metadata
In order to obtain location URL from metadata, an Okta admin should again log in and
From Okta, complete the following:
- Click the Applications menu.
- In the Search field, search for the SiQ app.
- Click the SiQ app to open it.
The SiQ App screen displays.
- Click the Sign On tab.
- Scroll down to the Identity Provider Metadata area.
- Click the Identity Provider link to display the XML metadata.
- Locate the URL, look for the line that has SingleSignOnService, with an HTTP-POST method.
- Copy the URL.
Go to Step2 below.
Step 2. Paste in the URL into SiQ's Okta Integration
From the SiQ Web App's Okta Integration, complete the following:
- Click the SSO tab.
- In the SSO Redirect URL field, paste in the URL.
- Click the Activate button.
Attribute Mappings from SiQ to Okta User Profile
As shown in the Okta Universal Directory (UD) Profile Editor, the base profile that Okta imports from SiQ consist of 20+ attributes. Some of these attributes are mapped to the Okta user profile by default.
Custom Attributes
Okta's SiQ application has been enhanced to support user-defined custom attributes, which enables Okta to import more than 20 attributes to SiQ.
These attributes must be created and mapped manually in Okta and then define the Custom Field Name mappings in the SiQ app. The recommended mappings from SiQ to Okta are preconfigured in SiQ's base profile. See Okta Custom Attribute Mapping.
Troubleshooting Tips
Users without a First Name, Last Name, or Department in their SiQ profiles cannot be imported to Okta as new users.
In the event that a department also has teams (sub-departments), SiQ expects Organizations/Divisions that contain top-level organization and department details to also contain the Team Name. For example:
Organization: Engineering with Department: QA |